From 7b77853439305cc43acd952557d1b8f4bced47e3 Mon Sep 17 00:00:00 2001 From: Demi Obenour Date: Sun, 22 Mar 2020 21:05:24 +0000 Subject: [PATCH] Be strict about critical extensions Require that unknown critical extensions cause the connection attempt to be aborted. --- tls/tls.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tls/tls.md b/tls/tls.md index 0e726e6..95b6cae 100644 --- a/tls/tls.md +++ b/tls/tls.md @@ -58,7 +58,7 @@ Endpoints MUST choose a key that will allow the peer to verify the certificate ( Endpoints MUST NOT send a certificate chain that contains more than one certificate. The certificate MUST have `NotBefore` and `NotAfter` fields set such that the certificate is valid at the time it is received by the peer. When receiving the certificate chain, an endpoint MUST check these conditions and abort the connection attempt if (a) the presented certificate is not yet valid, OR (b) if it is expired. Endpoints MUST abort the connection attempt if more than one certificate is received, or if the certificate’s self-signature is not valid. -The certificate MUST contain the [libp2p Public Key Extension](#libp2p-public-key-extension). If this extension is missing, endpoints MUST abort the connection attempt. This extension MAY be marked critical. The certificate MAY contain other extensions; implementations MUST ignore extensions with unknown OIDs. Except as permitted by a future version of this specification, other extensions MUST NOT be critical. +The certificate MUST contain the [libp2p Public Key Extension](#libp2p-public-key-extension). If this extension is missing, endpoints MUST abort the connection attempt. This extension MAY be marked critical. The certificate MAY contain other extensions. Implementations MUST ignore non-critical extensions with unknown OIDs. Endpoints MUST abort the connection attempt if the certificate contains critical extensions that the endpoint does not understand. Certificates MUST omit the deprecated `subjectUniqueId` and `issuerUniqueId` fields. Endpoints MAY abort the connection attempt if either is present.